Astaroth- The Tojan That Abuses Anti-Virus Software To Steal Data

Astaroth- The Tojan That Abuses Anti-Virus Software To Steal Data
A new Trojan has surfaced which disguises itself as GIF and
image files and tries to exploit the anti-virus software to harvest the data on
the user’s PC.

A security research team brought the situation to everyone’s
notice that this variant supposedly makes use of the modules in the
cyber-security software.
The exploitation of the modules leads to the cyber-con
getting hold of the victim’s data including online credentials
The Trojan in the guise of an extension-less files tries to move
around the victim’s PC undetected.
By the use of spam emails and phishing messages, the victim’s
lured into downloading the malicious file and then the actual Microsoft Windows
BITSAdmin tool is used to download the full payload from a command-and-control
(C2) server.
The malware then launches an XSL script and finalizes a
channel with the C2 server. The script is obfuscated and contains functions to
shroud itself from the anti-virus software.
The same script is responsible for the process which
influences BITSAdmin to download payloads which include Astaroth from a
different C2 server.
The old version of this Trojan used to launch a scan to look
for the anti-virus programs, and in case of the presence of “Avast”, the
malware used to quit.
But as it turns out with Astaroth, the antivirus software
would now be abused and a malicious module would be injected into one of its
processes.
The exploitation of these systems is called LOL bins, Living
Off the Land binaries. GAS, an anti-fraud security program could be abused in
the same way.
This Trojan first surfaced in the year 2017 in South America.
It targets machines, passwords and other data. Astaroth is also capable of
Keylog and could intercept calls and terminate processes.
The malware employs a “ fromCharCode() deobfuscation ”
method to conceal code execution, which is an upgrade on older versions of
Astaroth.

LOLbins seem to have a lot of malicious potential including
stealing credentials and personal data. This method is highly attractive to cyber-cons
and hence needs to be prepared against.

Share this with Your friends:

Leave a Reply

Your email address will not be published. Required fields are marked *